> If an organisation is looking to purchase or subscribe
> to a web application service, are there any security
> standards it can request the supplier to conform to?

The problem is one of definitions. What you're looking for is a "secure"
application, and that is all a matter of context, semantics and personal
appetite for risk. It's also a moving target (with new approaches and
techniques being introduced regularly), so whilst there are standards
around, the act of checking whether an application is compliant only has
any meaning at the point it is checked, and to a large part depends on
who is doing the checking.

A supplier that understands OWASP is a good place to start. But it won't
guarantee it is a secure app; just that it has slightly more chance of
it being so. ;)

The adoption standards are here (http://tinyurl.com/ckmvlnc). Not sure
what that has to do with web apps though. It's a strange world.